

INTRODUCTION 


The Information Assurance Technology Analysis Center (IATAC) is a Department of Defense (DoD) sponsored Information Analysis Center (IAC) that provides a central point of access for scientific and technical information (STINFO) regarding information assurance (IA) technologies, system vulnerabilities, research and development, and models and analyses. The overarching goal of the IAC is to aid in developing and implementing effective defenses against information warfare attacks. IATAC basic services include support for user inquiries, analysis, maintenance, and growth of the IA library; IA database operations; development of technical and state-of-the-art reports; and promotional awareness activities, such as newsletters, conferences, and symposia.

IACs are staffed by scientists, engineers, and information specialists. Each IAC establishes and maintains comprehensive knowledge bases that include historical, technical, scientific, and other data and information collected worldwide. Information collections span a wide range of unclassified, limited distribution, and classified information appropriate to the requirements of sponsoring technical communities. IACs also collect, maintain, and develop analytical tools and techniques including databases, models, and simulations. Their collections and products represent intensive evaluation and screening efforts to create authoritative sources of evaluated data.

This report addresses the contents of the Information Assurance Tools Database, one of the knowledge bases maintained by IATAC. This database hosts information on intrusion detection, vulnerability analysis, firewalls, and antivirus software applications. Information for this database is obtained via open-source methods, including direct interface with various agencies, organizations, and vendors.


PURPOSE 


This report provides an index of vulnerability analysis tool descriptions contained in the IATAC Information Assurance Tools Database. This report summarizes pertinent information, providing users with a brief description of available tools and contact information. It does not endorse or evaluate the effectiveness of each tool.

As a living document, this report will be updated periodically as additional information is entered into the Information Assurance Tools Database. Technical questions concerning this report may be addressed to James Green at (703) 902-4887 or iatac@dtic.mil.


SCOPE 


Currently the IATAC database contains descriptions of 35 tools that can be used to support vulnerability and risk assessment. Vulnerability analysis tools are programs that help automate the identification of vulnerabilities in a network or system. Vulnerabilities can be defined as weaknesses in a system’s security scheme, exploitation of which would negatively affect the confidentiality, integrity, or availability of the system or its data. The type and level of detail of information provided among tools varies greatly. Although some can identify only a minimal set of vulnerabilities, others can perform a greater degree of analysis and provide detailed recommended countermeasures. More recently developed tools provide user-friendly front ends and sophisticated reporting capabilities. The majority of the tools identified in the Information Assurance Tools Database are available on the Internet, and many are used by crackers in the first stage of an attack: vulnerability information gathering. Penetration tools, which perform destructive actions (e.g., denial of service attacks), are excluded from this category. Sniffers and Trojan horse programs are also excluded from this category. Although many network utilities (e.g., host, finger) are valuable in identifying vulnerabilities on a host, they are often an automated component of vulnerability analysis tools, and therefore are not individually described in the database.

The database includes commercial products, individual-developed tools, government-owned tools, and research tools. The database was built by gathering as much open-source data as possible, analyzing that data, and summarizing information regarding the basic description, requirements, availability, and contact information for each vulnerability analysis tool collected. Generally, the commercially developed products are available. The government and academic tools, however, are reserved for specific projects and organizations. The research group or university determines, on an individual case basis, the availability of these research tools. These tools are included in the database solely to provide information regarding existing approaches for vulnerability analysis.


DATABASE  FORMULATION 


This section discusses the approach and methodology used for identifying and collecting the selected tools, the classification of each type, tool sources, and the structure of the database.

TOOL COLLECTION

Information for each tool was collected by leveraging existing community relationships. Collection activities included Internet searches to identify additional corporations, government agencies, professional organizations, and universities with involvement in vulnerability analysis. Industry professionals were consulted for information and suggestions for identifying and collecting available tools.

TOOL CLASSIFICATION

The vulnerability analysis tools described in the IATAC Information Assurance Tools Database fall within one or more of the following five classes:

Simple Vulnerability Identification and Analysis: A number of tools have been developed that perform relatively limited security checks. These tools may automate the process of scanning Transmission Control Protocol/Internet Protocol (TCP/IP) ports on target hosts, attempting to connect to ports running services with well-known vulnerabilities and recording the response. They also may perform secure configuration checks for specific system features (e.g., network file system [NFS] configuration, discretionary access control [DAC] settings). The user interface of these tools is likely to be command-line based, and the reporting may include limited analysis and recommendations. These tools are also likely to be “freeware.”

Comprehensive Vulnerability Identification and Analysis: More sophisticated vulnerability analysis tools have been developed that are fairly comprehensive in terms of the scope of vulnerabilities addressed, the degree of analysis performed, and the extent of recommendations made to mitigate potential security risks. Many of these tools also provide a user-friendly graphical user interface.

War Dialers: A war dialer consists of software that dials a specific range of telephone numbers looking for modems that provide a login prompt. The tools, at a minimum, record the modem numbers and login screen, but can also be configured to attempt brute-force, dictionary-based login attempts. The value of these tools to a system administrator is that they automate the process of identifying potential “back doors” in a network. Some of the tools described above in the “Comprehensive Vulnerability Identification and Analysis” category include war dialers.

Password Crackers: Password cracker tools attempt to match encrypted forms of a dictionary list of possible passwords with encrypted passwords in a password file. This is possible because the algorithm used to encrypt operating systems’ passwords is public knowledge. These tools support system administrators by allowing them to enforce password selection policies.

Risk Analysis Tools: Risk analysis tools typically provide a framework for conducting a risk analysis but do not actually automate the vulnerability identification process. These tools may include large databases of potential threats and vulnerabilities along with a mechanism to determine, based on user input, cost-effective solutions to mitigate risks. The vulnerabilities identified using a true “vulnerability analysis” tool may be fed into a risk analysis tool.

TOOL SOURCES

Tools and information were identified from a number of sources. A representative sampling of these sources includes the following:

COMMERCIAL

AXENT Technologies, Inc.
Bellcore
Internet Security Systems
Intrusion Detection, Inc.
NETECT, Inc.
RiskWatch
Secure Networks Incorporated (SNI)
Somarsoft, Inc.
The Mitre Corporation
Trident Data Systems
WheelGroup Corporation*

* On March 12, 1998, Cisco Systems completed its acquisition of WheelGroup Corporation.

GOVERNMENT AND PROFESSIONAL AGENCIES AND RESEARCH CENTERS

ACM SIGSAC (Special Interest Group on Security, Audit, and Control)
Air Force Information Warfare Center
Defense Advanced Research Projects Agency (DARPA)
Center for Secure Information Systems (CSIS) at George Mason University
Central Intelligence Agency
COAST Project at Purdue University
Computer Security Research Laboratory at University of California at Davis
Computer Security Technology Center at Lawrence Livermore National Laboratory
Computing Professionals for Social Responsibility (CPSR)
Defense Information Systems Agency (DISA)
Department of Energy, Computer Incident Advisory Capability (CIAC)
IEEE-CS Technical Committee on Security and Privacy
IFIP Technical Committee 6 (Communication Systems)
IFIP Technical Committee 11 on Security and Protection in Information Processing
IFIP Working Group 11.3 on Database Security
IFIP Working Group 11.4 on Network Security
Information Sciences Institute, University of Southern California School of Engineering
Information Security Research Centre at Queensland University of Technology, Australia
Information Systems Audit and Control Research at CalPoly Pomona
Institute for Computer & Telecommunications Systems Policy at The George Washington University
International Association for Cryptologic Research
International Computer Security Association (ICSA)
Lawrence Berkeley National Laboratory
Los Alamos National Laboratory
National Institute of Standards and Technology (NIST) Computer Systems Laboratory
National Security Agency
Navy Research Laboratory Center for High Assurance Computer Systems (Naval Research Laboratory)
Navy Space and Naval Warfare Systems Command (SPAWAR)
SIRENE: SIcherheit in REchnerNEtzen (Security in Computer Networks) at the University of Hildesheim/IBM Zurich
Texas A&M University
U.S. Army Office of the Director of Information Systems for Command, Control, Communications, and Computers (ODISC4)
USENIX & System Administrators’ Guild (SAGE)

FIRST (FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS)

Air Force Computer Emergency Response Team (AFCERT)
Army Computer Emergency Response Team (ACERT)
Australian Computer Emergency Response Team (AUSCERT)
CERT Coordination Center, Carnegie Mellon University
Computer Emergency Response Team for the German Research Network (DFN-CERT), German Federal Networks CERT, Germany
Computer Incident Advisory Capability (CIAC), U.S. Department of Energy
NASA Automated Systems Incident Response Capability (NASIRC)
Naval Computer Incident Response Team (NAVCIRT)
Purdue University Computer Emergency Response Team (PCERT)
SURFnet Computer Emergency Response Team (CERT-NL), Netherlands
Swiss Academic and Research Network CERT, Switzerland (SWITCH-CERT)

DATABASE STRUCTURE

The fields of the database include the following:

Title: Name and abbreviation associated with the tool
Author: Developer of the tool
Source: Uniform resource locator (URL) of the primary source for obtaining the tool
Keyword: Terms used to reference the tools using the database search engine
Contact Information: Name, organization, telephone, facsimile, e-mail, and URL information for additional tool information
Abstract: Brief description of the primary features of the tool
Requirements: System requirements for operating the tool
Availability: Accessibility information including procedures and pricing in some cases


TOOL SELECTION CRITERIA


The selected tools satisfy the following three criteria:

Definition: These tools satisfy the objective, approach, and methodology of a vulnerability analysis tool based on the definition of vulnerability.

Specificity to Vulnerability Analysis: The primary function of these tools is vulnerability analysis. They may also be used during the early stages of a penetration attack to identify the target system’s weaknesses and help fine-tune the attack. However, penetration test tools, whose primary purpose is to exploit identified vulnerabilities and cause damage or destruction to the target system, have been excluded.

Current Availability: These tools are currently available from the Government, academia, or commercial sources, or as freeware on the Internet.


RESULTS


The research for this report identified 35 vulnerability analysis tools currently being used and available. Appendix A includes complete database output for each tool. The content of Appendix A mirrors the database structure as defined in the “Database Structure” section of this report. The following summary chart provides the name, keywords, and a description of each tool.

Title

Ballista
CheckXusers
Chkacct
CONNECT
DumpAcl
ICE-PICK
IdentTCPscan
Internet Scanner
Kane Security Analyst (KSA)
L0phtCrack
Netective
NetRecon
NetSonar
Nfsbug
Omniguard/ESM
Perl Cops
PINGWARE
RiskWatch v7.1
Secure Sun
Snoopy Tools

Source Type

Commercial
Individual
Individual
Individual
Individual
Academia
Individual
Individual
Commercial
Government
Individual
Commercial
Commercial
Commercial
Commercial
Commercial
Commercial
Individual
Individual
Commercial
Individual
Commercial
Individual
Individual
Commercial
Government

Attributes

vulnerability
comprehensive vulnerability analysis
vulnerability
password cracker
vulnerability
vulnerability
risk analysis
comprehensive
misuse detection, system monitoring, comprehensive vulnerability analysis
password cracker
vulnerability
vulnerability
risk analysis
comprehensive vulnerability analysis
vulnerability
comprehensive vulnerability analysis

Contact / Organization; E-mail; URL

Secure Networks Inc.; sales@secnet.com; http://www.secnet.com/
Bob Vickers; R.Vickers@ulcc.ac.uk; http://www.ulcc.ac.uk/
Shabbir Safdar; shabbir@panix.com; http://www.panix.com/~shabbir
unknown; unknown; http://www.giga.or.at/pub/hacker/unix
Dan Farmer; security@earthlink.net; http://www.earthlink.net/company/farmer.html
CERT Coordination Center; cert@cert.org; http://www.cert.org/contactinfo.html
Alec Muffett; alec.muffet@uk.sun.com; http://www.users.dircon.co.uk/~crypto/index.html
Steve Hotz; shotz@pollux.usc.edu; http://www.isi.edu/
Somarsoft, Inc.; info@somarsoft.com; http://www.somarsoft.com/
Rickey Roach; roachr@ncr.disa.mil; http://www.westhem.disa.mil/~WEY/esprit/
Space and Naval Warfare Systems Center; questions@infosec.navy.mil; http://infosec.navy.mil/ICEPICK/
David Goldsmith; daveg@escape.com; http://www.giga.or.at/pub/hacker/unix
Patrick Taylor; info@iss.net; http://www.iss.net
Daniel Dorr; info@intrusion.com; http://www.intrusion.com/contact.htm
L0pht Heavy Industries; [illegible]; http://www.L0pht.com/L0phtcrack/
NETECT Inc.; sales@netect.com; http://www.netect.com
AXENT Technologies, Inc.; sundav@axent.com; http://www.axent.com/
[missing]; info@wheelgroup.com; http://www.wheelgroup.com/contact/1contact.html
Douglas O’Neal; Doug.ONeal@jhu.edu; http://www.jhu.edu/
Leendert van Doorn; leendert@cs.vu.nl; http://www.asmodeus.com/archive/Xnix/nfsbug/nfsbug.c
AXENT Technologies, Inc; info@axent.com; http://www.axent.com/
Dan Farmer; security@earthlink.net; http://www.earthlink.net/company/farmer.html
Bellcore; telecom-info@bellcore.com; http://telecom-info.bellcore.com/
Caroline R. Hamilton; riskwatch@riskguard.com; [illegible]
Dan Farmer; security@earthlink.net; http://www.earthlink.net/company/farmer.html
David Safford; d-safford@tamu.edu; http://www.cs.tamu.edu/
W. Reid Gerhart; wrg@mitre.org; http://www.mitre.org/resources/centers/infosec/infosec.html
Sandy Spark; ciac@llnl.gov; http://ciac.llnl.gov

Title

Strobe
System Security Scanner
Tiger
ToneLoc
Trident Information Protection Toolbox

Source Type

Individual
Commercial
Academia
Individual
Commercial
Government
Individual

Attributes

vulnerability
war dialers
risk analysis
risk analysis
vulnerability

Contact / Organization

Julian Assange
Patrick Taylor
Doug Schales
Minor Threat and Mucho Maas
Brian Finan
Dr. Donald R. Peeples
unknown

E-mail

Doug.Schales@net.tamu.edu
mthreat@paranoia.com -or- mthreat@ccwf.cc.utexas.edu
Brian_Finan@tds.com
pendleto@math.ukans.edu

URL

ftp://coast.cs.purdue.edu/pub/tools/unix/strobe/
http://www.iss.net
http://www.cs.tamu.edu/
ftp://ftp.paranoia.com/pub/toneloc/tl110.zip
http://www.tds.com/tb/index.html#anal
http://www.nsa.gov/
http://www.giga.or.at/pub/hacker/unix

Ballista


TITLE

Ballista

AUTHOR

Secure Networks Inc.

SOURCE

http://www.secnet.com/nav1b.html

KEYWORDS

comprehensive vulnerability analysis

CONTACT INFORMATION

Alfred Huger
Secure Networks Inc.
Suite 330, 1201 5th Street SW
Calgary, Alberta CANADA T2R-0Y6
Telephone: 403.262.9211
Facsimile: 403.262.9221
E-mail: sales@secnet.com
URL: http://www.secnet.com/

REQUIREMENTS

Solaris 2.5-2.6, Linux 2.x, BSDI 2.x, OpenBSD 2.x, FreeBSD 2.x, Windows NT 4.0

AVAILABILITY

Commercially available from http://www.secnet.com/. Evaluation copy available from http://www.secnet.com/nav1b.html. Licensing is based on a single host or specific addresses. Up to 10 addresses cost $150, up to 50 cost $350.

ABSTRACT

Ballista is a network security auditing tool used to discover security weaknesses in networked environments. Ballista uses extensive domain name system (DNS) auditing to map intranets and perform port scans. Vulnerability checks include file transfer protocol (FTP), Web servers, Sendmail, RPC, NFS, NetBIOS, and network devices such as routers and bridges. Ballista also allows users to determine whether the filters of a firewall are securely configured, and it has password-guessing routines.

Secure Networks has developed a customizable tool included with Ballista, the Custom Auditing Packet Engine (CAPE). CAPE can perform complex protocol-level spoofing and attack simulations. CAPE also enables users to generate tool-sets on the fly to address unique network implementations. It can use custom scripts to verify the integrity of Access/Choke routers, filtering firewalls (stateful inspection or otherwise), etc. This modular architecture also allows Secure Networks to update Ballista easily and efficiently. Ballista’s biweekly updates include new vulnerability checks and features.

CheckXusers


TITLE

CheckXusers

AUTHOR

Bob Vickers

SOURCE

ftp://coast.cs.purdue.edu/pub/tools/unix/

KEYWORDS

simple vulnerability analysis

CONTACT INFORMATION

Bob Vickers
University of London Computer Centre
20 Guilford Street
London ENGLAND WC1N 1DZ
Telephone: 0171.692.1000
Facsimile: 0171.692.1234
E-mail: R.Vickers@ulcc.ac.uk
URL: http://www.ulcc.ac.uk/

REQUIREMENTS

UNIX (Perl script); no special privileges; netstat command in PATH variable.

AVAILABILITY

Freely available from ftp://coast.cs.purdue.edu/pub/tools/unix/checkXusers.Z

ABSTRACT

CheckXusers identifies users logged onto the current machine from insecure X servers. It enables system administrators to determine whether users are exposing themselves, and hence the system, to unacceptable risks. It should be run from an ordinary user account, not root. It assumes that the netstat command is somewhere in the PATH prior to execution.

Chkacct


TITLE

Chkacct

AUTHOR

Shabbir Safdar

SOURCE

ftp://coast.cs.purdue.edu/pub/tools/unix/chkacct/

KEYWORDS

simple vulnerability analysis

CONTACT INFORMATION

Shabbir Safdar
The Voters Telecommunications Watch
233 Court Street #2
Brooklyn, NY 11201
Telephone: 718.596.2851
Facsimile: n/a
E-mail: shabbir@panix.com
URL: http://www.panix.com/~shabbir

REQUIREMENTS

UNIX (Perl script); audits the account from which it is run.

AVAILABILITY

Freely available from ftp://coast.cs.purdue.edu/pub/tools/unix/chkacct/chkacct.v1.1.tar.Z

ABSTRACT

Chkacct was designed to complement tools like COPS and Tiger that check for configuration problems in an entire system. Chkacct is designed to check the settings and security of the current user’s account. It identifies potential problems with the account’s security and provides explanations of how to fix them. It may be preferable to have a security administrator ask problem users to run chkacct rather than directly alter files in their home directories.

Chkacct allows the user to check the security of his or her account quickly. It can be run out of a crontab in “harmless” mode and the output mailed to the user.

Chkacct checks the home directory for certain important “dot” files and searches the entire home directory for files with all-user write permissions.

CONNECT


TITLE

CONNECT

AUTHOR

Unknown

SOURCE

http://www.giga.or.at/pub/hacker/unix

KEYWORDS

simple vulnerability analysis

CONTACT INFORMATION

Name: Unavailable
Address: Unavailable
Telephone: Unavailable
Facsimile: Unavailable
E-mail: Unavailable
URL: Unavailable

REQUIREMENTS

UNIX (C source code)

AVAILABILITY

Freely available from http://www.giga.or.at/pub/hacker/unix/connect.tar

ABSTRACT

This /bin/sh shell script scans a range of Internet Protocol (IP) addresses for machines that offer the Trivial File Transfer Protocol (TFTP) service. Although typically disabled, this service is generally considered insecure and can be exploited to extract system files including /etc/passwd and other critical system files. If CONNECT finds a machine running TFTP, it will automatically attempt to download the /etc/passwd file to determine whether the system is vulnerable.

COPS


TITLE

Computer Oracle and Password System (COPS)

AUTHOR

Dan Farmer

SOURCE

ftp://ftp.cert.org

KEYWORDS

comprehensive vulnerability analysis

CONTACT INFORMATION

Dan Farmer
3100 New York Drive
Pasadena, CA 91107
Telephone: 626.296.2400
Facsimile: 626.296.4130
E-mail: security@earthlink.net
URL: http://www.earthlink.net/company/farmer.html

REQUIREMENTS

UNIX (Perl script)

AVAILABILITY

Freely available from ftp://coast.cs.purdue.edu/pub/tools/unix/cops/

ABSTRACT

Computer Oracle and Password System (COPS) is a security toolkit that examines a system for a number of known weaknesses and alerts the system administrator to them. In some cases it can automatically correct these problems. COPS identifies security vulnerabilities and checks for empty passwords in /etc/passwd, files with all-user write permissions, misconfigured anonymous ftp’s, and many other areas.

CPM


TITLE

Check Promiscuous Mode (CPM)

AUTHOR

CERT Coordination Center

SOURCE

ftp://coast.cs.purdue.edu/pub/tools/unix/

KEYWORDS

simple vulnerability analysis

CONTACT INFORMATION

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Telephone: 412.268.7090
Facsimile: 412.268.6989
E-mail: cert@cert.org
URL: http://www.cert.org/pub/aboutcert/contactinfo.html

REQUIREMENTS

UNIX (C source code), no special privileges

AVAILABILITY

Freely available from ftp://coast.cs.purdue.edu/pub/tools/unix/cpm/.

ABSTRACT

Check Promiscuous Mode (CPM) checks whether any network interface on a host is in promiscuous mode. A host in promiscuous mode can view all network traffic passing through its branch. CPM uses standard BSD UNIX socket(2) and ioctl(2) system calls to determine a system’s configured network interfaces and reports whether any of the network interfaces are currently in promiscuous mode.

CPM identifies the number of interfaces found, the name of each interface, and whether each interface is in normal or promiscuous mode. It returns the number of discovered promiscuous interfaces as its exit status. No special privileges are required to invoke CPM.

Crack


TITLE

Crack

AUTHOR

Alec Muffett

SOURCE

ftp://ftp.cert.org/pub/tools/crack/

KEYWORD

password cracker

CONTACT INFORMATION

Alec Muffett
Sun Microsystems Ltd.
Sun House
306 Cambridge Science Park
Milton Road
Cambridge CB4 4WG
ENGLAND
Telephone: 01223.420421
Facsimile: 01223.420058
E-mail: alec.muffet@uk.sun.com
URL: http://www.users.dircon.co.uk/~crypto/index.html

REQUIREMENTS

UNIX (C source code, Perl script). Tested on Solaris, Linux, FreeBSD, NetBSD, OSF, and Ultrix. Root privileges to execute.

AVAILABILITY

Freely available from ftp://ftp.cert.org/pub/tools/crack/

ABSTRACT

Crack is a password-cracking program with a configuration language that allows the user to program the types of guesses attempted. Crack is designed to quickly locate vulnerabilities in UNIX (or other) password files by scanning the contents of a password file and testing entries for weak (i.e., dictionary) passwords.

Crack helps the system administrator identify weak passwords by checking for various weaknesses and attempting to decrypt them. Systems employing shadowing password schemes are much harder to crack.

Crack’s general procedure is to take as its input a series of password files and source dictionaries. It merges the dictionaries, turns the password files into a sorted list, and generates lists of possible passwords from the merged dictionary. Crack makes many individual passes over the password entries supplied as input. Each pass generates password guesses based on a sequence of rules.

Features include Eric Young’s “libdes” encryption routines, an application programming interface (API) for ease of integration with arbitrary crypt() functions, an API for ease of integration with arbitrary passwd file formats, considerably better gecos-field checking, more powerful rule sets, the ability to read dictionaries generated by external commands, better recovery mechanisms for jobs interrupted by crashes, and improved control (e.g., disable during working hours). In addition, it comes bundled with Crack6 (minimalist password cracker) and with Crack7 (brute force password cracker).

DOC


TITLE

Domain Obscenity Control (DOC)

AUTHORS

Steve Hotz
Paul Mockapetris

SOURCE

http://csrc.nist.gov/tools/tools.htm

KEYWORDS

simple vulnerability analysis

CONTACT INFORMATION

Steve Hotz
Paul Mockapetris
University of Southern California School of Engineering Information Sciences Institute
4676 Admiralty Way, Suite 1001
Marina del Rey, CA 90292-6695
Telephone: 310.822.1511
Facsimile: 310.823.6714
E-mail: shotz@pollux.usc.edu
URL: http://www.isi.edu/

REQUIREMENTS

UNIX (csh script)

Version 2.0 of the DNS query tool “dig” (domain Internet groper)

AVAILABILITY

Freely available at ftp://coast.cs.purdue.edu/pub/tools/unix/doc.2.0.tar.z

ABSTRACT

Domain Obscenity Control (DOC) diagnoses misconfigured domains by sending queries to the appropriate domain name system (DNS) name servers and performing simple analysis on the responses. DOC verifies a domain’s proper configuration and that it is functioning correctly. The domain name must be valid. Some changes to the script must be made, including the first few aliases and pointers to directories.

DOC-V.2.0 is an initial implementation of an automated domain testing tool.
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DumpAcl 


TITLE 


CONTACT  INFORMATION 


DumpAcl 

AUTHOR _ 

Somarsoft,  Inc. 

SOURCE _ 

http://www.somarsoft.com/ 

KEYWORD _ 

simple  vulnerability  analysis 


Somarsoft,  Inc. 

P.0.  Box  642278 
San  Francisco,  CA  94164-2278 
Telephone:  415.776.7315 
Facsimile:  415.776.7328 
E-mail:  info@somarsoft.com 

URL:  http://www.somarsoft.com/ 


REQUIREMENTS _ 

Windows NT 3.51 or 4.0 (i386 and Alpha
platforms). Targets Windows NT (any platform).

AVAILABILITY _ 

Shareware  version  freely  available  from 
http://www.somarsoft.com/.  Shareware  version 
is  fully  functional  except  for  printing.  V2.7  adds 
enhancements  and  bug  fixes  for  $99. 

ABSTRACT: _ 

Somarsoft DumpAcl dumps the permissions
and audit settings for the Windows NT file
system, registry, user/group information, and
printers in a concise, readable, listbox format so
the user can identify readily apparent security
vulnerabilities.

Somarsoft DumpAcl provides a solution to the
problem of having too many files and registry
keys to manually check on a regular basis.
Unnecessary system, file, and directory access
can be identified from the tool’s output.


ESPRIT


TITLE _

Expert System for Progressive Risk
Identification Techniques (ESPRIT)

AUTHOR _ 

Joint  Information  Service  Center  of  DISA 

SOURCE _ 

http://www.westhem.disa.mil/~WEY/esprit/ 

KEYWORD _ 

risk  analysis 


CONTACT  INFORMATION 

Rickey  Roach 

Defense Information Systems Agency
Alexandria,  VA  22204 
Telephone:  703.607.4215 
Facsimile:  n/a 
E-mail: roachr@ncr.disa.mil
esprit@ncr.disa.mil
URL: http://www.westhem.disa.mil/~WEY/esprit/


REQUIREMENTS

IBM-compatible PC 386, MS-DOS version 3.3
or higher, 1 3 MB of disk space, 2 MB RAM

A userid and password must be obtained (this
can be done from the Web page) to download
the program from the Web site.

AVAILABILITY _ 

Available  to  approved  Government  agencies 
from http://www.westhem.disa.mil/~WEY/esprit/

ABSTRACT _ 

ESPRIT was developed for the Joint Staff
Support Center (JSSC) in support of its continuing
efforts to define and develop cost-effective
procedures to assist in performing risk analysis.

ESPRIT is a risk analysis and risk management
tool to aid Department of Defense (DoD) risk
analysts in performing automated information
systems (AIS) risk analysis.

ESPRIT checks for risk-management compliance
and is an automated tool to conduct certification.
It provides a detailed analysis of an information
system in terms of assets, threats to
assets, vulnerabilities, and countermeasure
recommendations. ESPRIT analysis indicates the
current security level and gathers data needed to
select adequate and cost-effective safeguards. It
includes a database of pre-ranked vulnerabilities
in order of their relative severity (i.e., high,
medium, or low). The program posts the ranking of
each vulnerability identified on the target system.

ESPRIT’s database also contains countermeasure
statements and descriptions, with predefined
links between the vulnerabilities and the
appropriate countermeasures. Answers to the
initial questionnaires trigger an automatic linkup
between an inferred vulnerability and its
associated appropriate countermeasure.


ICE-PICK


TITLE _ 

ICE-PICK 

AUTHOR _ 

SPAWAR 

SOURCE _ 

http://infosec.navy.mil/ICEPICK/ 

KEYWORDS _ 

comprehensive  vulnerability  analysis 


CONTACT  INFORMATION 

Commanding  Officer 
Code  72 

Space  and  Naval  Warfare  Systems  Center 
Charleston  SC  (SPAWARSYSCEN) 

P.O. Box 190022

North  Charleston,  SC  29419-9022 
Telephone:  800.304.4636 
Facsimile:  n/a 

E-mail:  questions@infosec.navy.mil 

URL:  http://infosec.navy.mil/ICEPICK/ 


REQUIREMENTS _ 

Version 1.2 - UNIX running SunOS 4.1.x, 4 MB
RAM; graphical interface such as Motif,
Openwindows, or Xwindows; version 1.3 - Alpha
Developments; portability to HP-UX version 10

AVAILABILITY _ 

Available to approved Government agencies
from ftp://infosec.navy.mil/pub/DOCs/navy/ice_req.DOC

ABSTRACT _ 

ICE-PICK is U.S. Government property and is
strictly controlled by SPAWAR for official
Government use only. Unauthorized use, distribution,
reproduction, or possession may be grounds for
criminal prosecution including imprisonment.

The complete ICE-PICK package is a security
tool for use by the system administrator in
identifying and fixing potential vulnerabilities.

ICE-PICK is an automated security tool used
for evaluating the vulnerabilities of network-based
systems that use TCP/IP. The tool is
used to evaluate and rate the vulnerability of
individual systems to various security threats that
may be applied.

ICE-PICK is being distributed by the SPAWAR
Systems Center Charleston SC to all Navy and
Marine units. A Memorandum of Agreement
must be signed by each requesting activity prior
to release of the tool.


IdentTCPscan


TITLE _ 

IdentTCPscan 

AUTHOR _ 

David  Goldsmith 

SOURCE _ 

http://www.giga.or.at/pub/hacker/unix 

KEYWORDS _ 

simple  vulnerability  analysis 


CONTACT  INFORMATION 

David  Goldsmith 
Address:  Unavailable 

Telephone:  Unavailable 

Facsimile:  Unavailable 

E-mail:  daveg@escape.com 

URL:  Unavailable 


REQUIREMENTS _ 

UNIX  (C  source  code).  Tested  on  BSDI,  Linux 
2.x,  and  SunOS  4.1.x. 

AVAILABILITY _ 

Freely available from
http://www.giga.or.at/pub/hacker/unix/identTCPscan.c.gz

ABSTRACT _ 

IdentTCP scans remote hosts for active
Transmission Control Protocol (TCP) services. In
addition, the tool attempts to determine the UID
of the running processes. Processes that execute
as root will be targeted first by system
crackers, because any manipulation of those
services is more likely to give root access to the
system. System administrators can use this utility
to determine which services may be targeted
and then evaluate the necessity of running the
service as root. Output is comprehensive and
easy to read.


Internet Scanner


TITLE

Internet Scanner

AUTHOR _

Internet Security Systems

SOURCE _

http://www.iss.net/prod/isb.html

KEYWORDS _

comprehensive vulnerability analysis


CONTACT INFORMATION

Patrick Taylor
41 Perimeter Center East
Suite 660
Atlanta, GA 30346
Telephone: 770.395.0150
Facsimile: 770.395.1972
E-mail: info@iss.net

URL: http://www.iss.net


REQUIREMENTS _ 

Windows  NT  4.0,  IBM  AIX™  3.25  and  higher, 
HP-UX  9.05  and  higher,  Sun  Solaris  2.3  and 
higher,  Sun  Solaris  x86,  SunOS  4.1.3  and  higher, 
Linux  1.2x  and  1.3x  (with  kernel  patch),  and 
Linux 1.3.7.6 and higher (no patch required).

Disk  space/memory  requirements:  Windows  NT 
(10/24  MB);  UNIX  (5/24  MB). 

AVAILABILITY _ 

Commercial, single-host web scans cost
approximately $1,500. Evaluation copy available
from http://www.iss.net

ABSTRACT _ 

The Internet Scanner tool set focuses on
identifying and addressing network vulnerabilities.
They perform scheduled and selective probes of
network communication services, operating
systems, key applications, and routers in search of
common vulnerabilities that open the network to
attack. Internet Scanner analyzes vulnerability
conditions and provides sets of corrective action,
trends analysis, conditional and configuration
reports, and data sets.

Internet Scanner consists of three integrated
modules for scanning intranets, scanning
firewalls, and scanning Web servers. These
modules are available singly, or as part of the
Internet Scanner bundle.

Internet Scanner’s intranet module is a
network security assessment tool designed to
automatically detect potential network vulnerabilities
using an extensive battery of penetration tests.
This graphical software utility provides a
repeatable and reliable method of assessing the
security configuration of systems.

Internet Scanner’s firewall module helps
maximize a firewall’s protection by allowing the user
to test for dozens of known vulnerabilities and
misconfigurations. Its analysis tools and graphical
user interface indicate where the firewall is at
risk and recommend how to control the security
exposure. Internet Scanner also provides
“service” scans identifying all network services
enabled across the firewall.

Internet Scanner’s Web server module helps
harden Web servers with a suite of analytical
tools that reports potential vulnerabilities and
misconfigurations and suggests methods of
reducing system exposure. Internet Scanner
audits and tests the operating system running
the Web servers, the Web server application
itself, and CGI scripts in the Web applications.
Security vulnerabilities in the Web site are
identified in a comprehensive Hyper-Text Markup
Language (HTML) report describing the
vulnerabilities along with recommended corrective actions.


KSA


TITLE

Kane Security Analyst (KSA)

AUTHOR _

Intrusion Detection Incorporated

SOURCE _

http://www.intrusion.com/product/ksa_nt.htm

KEYWORDS _

misuse detection, system monitoring,
comprehensive vulnerability analysis


CONTACT INFORMATION

Daniel Dorr
Intrusion Detection, Inc.
217 E 86th St., Suite 213
New York, NY 10028
Telephone: 212.348.8900.x302
Facsimile: 212.427.9185
E-mail: info@intrusion.com

URL: http://www.intrusion.com/contact.htm


REQUIREMENTS _ 

Windows  NT.  Targets  Windows  NT  and  Novell 
Netware. 

Root  privileges 

AVAILABILITY _ 

Commercially available from
http://www.intrusion.com

ABSTRACT: _ 

KSA assesses the security status of a Novell
and Windows NT network and generates reports
in six areas: password strength, access control,
user account restrictions, system monitoring,
data integrity, and data confidentiality.

The database of known vulnerabilities that
KSA uses contains password cracking tests,
permissions across domains, C2 security, trust
relationships, event logs, insecure partitions, audit
policy compliance, uninterruptible power supply
(UPS) status, excessive rights, registry security
settings, guest ID configuration, and NT
services.

New features include an interactive registry
assessment, access control list (ACL) maps, and
Kane File Rights for NTFS volumes. Kane
File Rights is an interactive tool included with
KSA that allows the user to automatically audit
rights and privileges associated with various
users, groups, and directories. The report
generated by this audit includes percentages of
compliance with the settings entered by the user.


L0PHTCrack 2.0


TITLE _

L0PHTCrack 2.0

AUTHOR _

L0PHT Heavy Industries

SOURCE _

http://www.L0pht.com/L0phtcrack/

KEYWORD _

password cracker


CONTACT INFORMATION

L0pht Heavy Industries
P.O. Box 990857
Boston, MA 02199
Telephone: Unavailable
Facsimile: Unavailable
E-mail: info@L0pht.com &
admin@L0pht.com
URL: http://www.L0pht.com/


REQUIREMENTS _ 

Windows  95/NT  4.0,  source  code  available  for 
UNIX  (command  line  only).  Targets  Windows  NT 
4.0. 

AVAILABILITY _ 

Shareware  with  a  15-day  free  trial  period,  $50 
registration  fee. 

ABSTRACT _ 

This is a comprehensive password cracker for
Windows NT system and local area network
(LAN) manager passwords. The latest version
has the built-in capability to extract encoded
passwords from registry SAM files as well as
directly from the system registry. Once
passwords have been extracted, they are subject to a
configurable brute force password attack.


Netective


TITLE 


Netective 

AUTHOR 

NETECT  Inc. 

SOURCE 

http://www.netect.com/ 

KEYWORDS 

simple  vulnerability  analysis 

CONTACT  INFORMATION 

NETECT  Inc. 

212  Northern  Avenue 

West 1, Suite 300

Boston, MA 02210

Telephone:  617.753.7370 

Facsimile:  617.753.7350 

E-mail:  sales@netect.com 

URL:  http://www.netect.com 


REQUIREMENTS _

SunOS 4.14, Solaris 2.5.1, HP UX 10.x,
Windows NT. 50 MB free hard disk space, 64 MB
minimum RAM, access to a local CD-ROM drive.

JAVA-compatible UNIX, HTML browser, GUI
(graphical user interface) for UNIX (e.g.,
X-Windows, Motif), root privileges.

AVAILABILITY _

Commercially available from
http://www.netect.com/

ABSTRACT _

Netective identifies security vulnerabilities at
both the operating system level and the network
level. Netective validates the system using MD5
checksums and other security checks on system
files, operating system patches, file permissions,
and system passwords. Netective includes a
dictionary-based password cracker.

Netective modules include the following:

The Network Module maps all ports to detect
potential weak points. Each detected port is
subjected to appropriate hacking attempts by the
port checker. Special care is given to specific
services such as NFS and RPC.

The Operating System Module checks system
files, patches, MD5 checksums, permissions,
and passwords across the system.

The Database Module contains a library of
security vulnerabilities and their respective fixes
and/or patches. It is updated regularly by
NETECT.

A Graphical User Interface Module displays
system status and analysis. Detected breaches
and their recommended corrective actions are all
presented in rich hypertext.


NetRecon


TITLE _ 

NetRecon 

AUTHOR _ 

AXENT  Technologies,  Inc. 

SOURCE _ 

http://www.axent.com/netrecon/html/orderform.htm

KEYWORDS _ 

comprehensive  vulnerability  analysis 


CONTACT  INFORMATION 

AXENT  Technologies,  Inc. 

2400  Research  Boulevard 
Rockville,  MD  20850 
Telephone:  301.258.5043 
Facsimile:  301.330.5756 
E-mail:  sundav@axent.com 

URL:  http://www.axent.com/ 


REQUIREMENTS _

Operates on Windows NT. Targets UNIX and
Windows NT servers, NetWare networks,
Windows workstations, mid-range systems,
mainframes, routers, gateways, Web servers,
firewalls, name servers, and others.

AVAILABILITY _

Commercially available from
http://www.axent.com/netrecon/html/orderform.htm
and priced at $1,995 for limited scan of a single
class C network or $9,995 for a license to scan an
unlimited number of networks. Demo available from
http://www.axent.com/netrecon/surveyde.htm.

ABSTRACT _

OmniGuard/NetRecon runs on a Windows NT
workstation and probes networks and network
resources. NetRecon performs internal and
external scans of the network. UltraScan
exploits multiple protocols and methods to detect
vulnerable network resources. NetRecon
executes parallel scans of the network systems,
devices, servers, firewalls, etc., for common
vulnerabilities. NetRecon’s probes are organized
into a hierarchy. For example, one process looks
for password information from an NIS server,
another process tries to crack passwords, while
a third looks for servers with rlogin (remote login)
services to see whether the cracked user
passwords will provide access.

A few of the vulnerabilities that NetRecon
checks for include resources discovered, exec
service enabled, smtp decode alias enabled, null
session access obtained, user level access
obtained, discovered system type, nis encrypted
password obtained, password cracked using
small/large dictionary, local disks mountable via
smb, NetWare notification password trap
possible, and port [number] active.


NetSonar


TITLE _ 

NetSonar 

AUTHOR _ 

WheelGroup  Corporation 
Acquired  by  Cisco  Systems  on  3/12/98 

SOURCE _ 

http://www.wheelgroup.com/netsonar/sonar.html 

KEYWORD _ 

comprehensive  vulnerability  analysis 


REQUIREMENTS _ 

Solaris  2.5x  or  2.6.  Hardware:  32  MB  RAM,  2 
GB  hard  drive,  TCP/IP  network  interface,  CD- 
ROM  drive,  HTML  browser 

AVAILABILITY _ 

Commercially  available  with  an  entry  class  “C” 
license  starting  at  $2,995. 

ABSTRACT _ 

NetSonar is a vulnerability scanner and
network mapping system. Using NetSonar from a
central console, the user can assess the security
state of an enterprise’s entire network, track
historical vulnerability trends, and create reports of
potential security risks.

Launched from an intuitive graphical user
interface at a central console, NetSonar runs in
either manual or automatic mode. It can also run
specialized profiles to look for certain sets of
vulnerabilities, which enables the user to quickly
determine whether the vulnerabilities previously
detected still exist.

NetSonar can scan a large number or range of
unspecified Internet Protocol (IP) addresses.
NetSonar can comprehensively scan all systems
on a network, including all firewalls, web servers,
routers, switches, and other systems. NetSonar
Entry provides all of the same capabilities as
NetSonar but allows for unlimited scanning of
only one specific class C network address range
(up to 254 computer systems) assigned by the
user during installation.

To protect against potential misuse of the
product, all NetSonar scans are identified by an
“electronic fingerprint” tied to the authorized,
licensed user.


NOTE:  On  March  12,  1998,  Cisco  Systems  completed 
its  acquisition  of  WheelGroup  Corporation. 


CONTACT  INFORMATION 

Joel  McSarland 
WheelGroup  Corporation 
13750  San  Pedro,  Suite  670 
San  Antonio,  TX  78232 
Telephone:  210.494.3383 
Facsimile:  210.494.6303 
E-mail:  info@wheelgroup.com 

URL:  http://www.wheelgroup.com/ 

contact/1  contact.html


NSS


TITLE

Network Security Scanner (NSS)

AUTHOR _

Douglas O’Neal

SOURCE _

ftp://jhunix.hcf.jhu.edu/pub/nss/README

KEYWORDS _

comprehensive vulnerability analysis


CONTACT INFORMATION

Douglas O’Neal
The Johns Hopkins University
3400 North Charles Street
Baltimore, MD 21218
Telephone: 410.516.8000
Facsimile: n/a
E-mail: Doug.ONeal@jhu.edu

URL: http://www.jhu.edu/


REQUIREMENTS _ 

UNIX  (Perl  script),  ftplib.pl 

AVAILABILITY _ 

Freely available from
ftp://jhunix.hcf.jhu.edu/pub/nss

ABSTRACT _ 

Network Security Scanner (NSS) scans
individual remote hosts and entire subnets of hosts
for various simple network security problems.

The majority of the tests can be performed by
any nonprivileged user on a typical UNIX
machine. The only test currently implemented
that requires root privileges is the check for an
insecure hosts.equiv file. This test requires that
a fake username (e.g., bin) be fed into rexec.

NSS will not create any files on remote
machines nor will it run any nontrivial programs
on remote machines.

The only nonstandard external program it
invokes is ypx, a program that attempts to
download the password map from a NIS server. Ypx
was posted in comp.sources.misc and is
archived in volume 40. NSS also requires the
ftplib.pl package if running Perl version 4.x.
Ftplib.pl is available from several Perl archives,
for example
ftp://anubis.ac.hmc.edu/pub/perl/library/ftplib.pl.gz

This program was developed on a DECstation
5000 running Ultrix 4.4. It has had superficial
portability checks made under SunOS 4.1.3 and
Irix 5.2, but extensive work has not been
performed from those platforms.


Nfsbug


TITLE _

Nfsbug

AUTHOR _

Leendert van Doorn

SOURCE _ 

ftp://coast.cs.purdue.edu/pub/tools/unix/nfsbug/ 

KEYWORDS _ 

simple  vulnerability  analysis 


CONTACT  INFORMATION 

Leendert van Doorn
Department of Mathematics and
Computer Science
Vrije Universiteit
De Boelelaan 1081A
1081 HV Amsterdam, THE NETHERLANDS
Telephone: 31.20.444.7762
Facsimile: 31.20.444.7653
E-mail: leendert@cs.vu.nl

URL: http://www.asmodeus.com/archive/Xnix/nfsbug/nfsbug.c


REQUIREMENTS _ 

UNIX  (C  source  code) 

AVAILABILITY _ 

Freely available from
ftp://coast.cs.purdue.edu/pub/tools/unix/nfsbug/

ABSTRACT _ 

Nfsbug checks for a variety of configuration
errors in NFS, mountd, and portmapper
daemons. Tests check for specific NFS problems
and bugs such as finding worldwide-exportable
file systems, determining whether the export list
really works, determining whether file systems
are mountable through the portmapper, guessing
file handles, exploiting the mknod bug, and the
uid masking exploit.


OmniGuard/ESM


TITLE

OmniGuard/ESM

AUTHOR _

AXENT

SOURCE _

http://www.axent.com/

KEYWORDS _

comprehensive vulnerability analysis


CONTACT INFORMATION

AXENT Technologies, Inc.
2400 Research Boulevard
Rockville, MD 20850
Telephone: 301.258.5043
Facsimile: 301.330.5756
E-mail: info@axent.com

URL: http://www.axent.com/support/support.htm


REQUIREMENTS _

Extensive software platform support for
manager and agent components: Windows NT,
NetWare, VMS, IBM-AIX, HP-UX, SunOS, IRIX, and
others.

AVAILABILITY _

Commercially available from
http://www.axent.com/product/esm/esm.htm

ABSTRACT: _

OmniGuard/Enterprise Security Manager
(ESM) is a platform-independent security
management tool that enables the user to manage
and evaluate diverse systems according to
unique, customizable security policies. It also
has an application programming interface (API)
that can be used to customize and integrate
security management for other security products,
applications, and databases.

The ESM architecture has three components:
the graphical user interface (GUI), manager, and
agent. These three components are supported
on multiple software platforms, although the GUI
is limited to UNIX systems compatible with
X-Windows, Windows 3.x, 95, and NT. Agents
contain executable modules that perform security
checking and correction (based on policies) at
the server, workstation, database, or application
level. Agents can be run manually or on an
automated schedule. The manager and GUI
serve as interfaces that manipulate agents.

Managers can also be used to set and apply
security policies such as account integrity,
backup integrity, file access violations, file attributes,
virus checking, proper login parameters, trivial
passwords, system auditing, and e-mail holes.
Reports can be generated from these results that
show the percentage of network resources
complying with a pre-determined policy.


Perl Cops


TITLE _ 

Perl  Cops 

AUTHOR _ 

Dan  Farmer 

SOURCE _ 

ftp://coast.cs.purdue.edu/pub/tools/unix/cops- 

perl.tar.gz 

KEYWORDS _ 

comprehensive  vulnerability  analysis 


CONTACT  INFORMATION 

Dan  Farmer 
3100  New  York  Drive 
Pasadena,  CA  91107 
Telephone:  626.296.2400 
Facsimile:  626.296.4130 
E-mail:  security@earthlink.net 

URL: http://www.earthlink.net/company/farmer.html


REQUIREMENTS _ 

UNIX  (Perl  script) 

AVAILABILITY _ 

Freely  available  from 

ftp://coast.cs.purdue.edu/pub/tools/unix/cops- 

perl.tar.gz 

ABSTRACT _ 

Perl Cops is a security toolkit that examines a
system for a number of known weaknesses and
alerts the system administrator to them. This is
a smaller, Perl version of Computer Oracle and
Password System (COPS).

The user can specify the target (uid or gid) on
the command line, using the -I option to generate
PAT for a goal, and use -f to preload file owner,
group and mode information. This preloading is
helpful in terms of speed and avoiding file
system “shadows.” Features include caches for the
passwd/group file entries for faster lookups.


PINGWARE


TITLE _ 

PINGWARE 

AUTHOR _ 

Bellcore 

SOURCE _ 

http://www.bellcore.com 

KEYWORD _ 

comprehensive  vulnerability  analysis 


CONTACT  INFORMATION 

Bellcore 

8  Corporate  Place,  PYA3A-184 

Piscataway, NJ 08854-4156

Telephone:  800.521.2673 

Facsimile:  732.366.2559 

Email:  telecom-info@bellcore.com 

URL:  http://telecom-info.bellcore.com/ 


REQUIREMENTS _ 

SunOS  4.1  or  above,  Solaris  2.3,  HP-UX  9.x 

AVAILABILITY _ 

Commercially available from
http://telecom-info.bellcore.com/. Refer to
document number OOA-1005

ABSTRACT _ 

PINGWARE systematically scans and tests all
the systems on a Transmission Control
Protocol/Internet Protocol (TCP/IP) based
network from a single workstation. It checks for
security vulnerabilities on the target system from
the network (i.e., outside the system). It
simulates an intruder by exploiting common
configuration errors and known bugs in TCP/IP-based
services to access the system from the network.

It identifies the systems vulnerable to attack and
generates a report detailing the weak points in
the network.

Features include multiprocessing testing
capability, network inventory, retrieval of key system
files, reporting and results management.
Vulnerability tests include finger, ftp, http, NFS,
rlogin/rsh, rpcinfo, sendmail, tftp, xhost, and
password cracking.


RiskWatch 7.1


TITLE

RiskWatch 7.1 for Information Systems

AUTHOR _

RiskWatch

SOURCE _

http://www.riskguard.com/prod01.htm

KEYWORDS _

risk analysis


CONTACT INFORMATION

Caroline R. Hamilton
900 Bestgate Rd., Suite 210
Annapolis, MD 21401
Telephone: 410.224.4773
Facsimile: 410.224.4995
E-mail: riskwatch@riskguard.com

URL: http://www.riskguard.com/prod01.htm


REQUIREMENTS _ 

Windows 3.1x, Windows for Workgroups,
Windows 95, Windows NT 3.51 and 4.0

AVAILABILITY _ 

Commercially available from
http://www.riskguard.com/

ABSTRACT _ 

RiskWatch 7.1 for Information Systems
conducts automated risk analysis and vulnerability
assessments of information systems, including
data centers, application programs, facilities,
networks, and field offices. RiskWatch uses data
generated by the risk analysis to provide on-line
risk management and generate a variety of
reports. RiskWatch is completely customizable
by the user, including allowing the user to create
new asset categories, threat categories,
vulnerability categories, safeguards, question
categories, and question sets. Users can also
automatically import questions and data created by
other users into their analysis.

RiskWatch automatically creates questionnaire
diskettes, which are used by respondents and
returned to the risk analysis manager for
processing. Diskettes are created by the RiskWatch
software on high or low density 3.5” floppy
diskettes. Executables for the diskettes are
included on the diskette. Users may generate
an unlimited number of questionnaire disks.


SATAN


TITLE _ 

Security  Analysis  Tool  for  Auditing  Networks 
(SATAN) 

AUTHOR _ 

Dan  Farmer 
Wietse  Venema 

SOURCE _ 

http://www.fish.com/satan/ 

KEYWORDS _ 

comprehensive  vulnerability  analysis 


CONTACT  INFORMATION 

Dan  Farmer 
3100  New  York  Drive 
Pasadena,  CA  91107 
Telephone:  626.296.2400 
Facsimile:  626.296.4130 
E-mail:  security@earthlink.net 

URL: http://www.earthlink.net/company/farmer.html


REQUIREMENTS _ 

UNIX  (Perl  script,  expect,  C  source  code) 

AVAILABILITY _ 

Freely available from
ftp://coast.cs.purdue.edu/pub/tools/unix/satan/

ABSTRACT _ 

SATAN scans systems connected to the
network noting the existence of well-known,
often-exploited vulnerabilities. SATAN examines a
remote host or set of hosts and gathers as much
information as possible by remotely probing NIS,
finger, NFS, ftp and tftp, rexd, and other
services. This information includes the presence of
various network information services as well as
potential security flaws involving misconfigured
setup and network services and known bugs in
system or network utilities. It then can either
report on these data or use an expert system to
further investigate any potential security
problems. SATAN consists of several sub-programs,
each of which is an executable file that tests a
host for a given potential weakness. Additional
test programs can be used by including the
executable in the main directory with the extension
“.sat.” The driver generates a set of targets
(using DNS and a fast version of ping together to
get “live” targets) and then executes each of the
programs on each of the targets. Three depths
of scans are offered: light, normal, and heavy. A
data filtering/interpreting program analyzes the
output and a reporting program produces
formatted output.

SATAN has not been updated since its
development (c. 1995) and may not be able to detect
certain vulnerabilities. For additional information,
see: CIAC Notes 95-07 & CIAC Notes 95-08.


Secure Sun


TITLE _ 

Secure  Sun 

AUTHOR _ 

David  Safford 

SOURCE _ 

ftp://coast.cs.purdue.edu/pub/tools/unix/secure-sun-check

KEYWORDS

simple vulnerability analysis


CONTACT INFORMATION

David Safford
Director, TAMU Supercomputer Center
Texas A&M University
College Station, TX 77843-0100
Telephone: 409.845.1004
Facsimile: 409.845.0727
Email: d-safford@tamu.edu

URL: http://www.cs.tamu.edu/


REQUIREMENTS _ 

UNIX  (shell  script).  Specific  to  SunOS  4.0.3 
and  4.1. 

No  special  privileges. 

AVAILABILITY _ 

Freely available from
ftp://coast.cs.purdue.edu/pub/tools/unix/secure-sun-check

ABSTRACT _ 

This program checks for 14 common SunOS configuration security
vulnerabilities. Each test reports its findings and offers to fix any
discovered problems. The program must be run as root to fix any of
the problems, but it can be run from any account by replying 'n' to
any fix requests. It has only been tested under SunOS 4.0.3 on Sun4,
Sun3, and Sun386i machines.

The 14 checks made are: fix ttytab to disable b -s problem; check
/etc/hosts.equiv either null or at least no +; disable tftp
(nonserver), or add secure switch (server); fix rcp hole; check
root's path for,; check dirs in root's path not writeable by others;
check that /etc/passwd on ypserver does not have client line; check
that uucp decode alias is removed from /etc/aliases; check /etc/utmp
is not world writeable; check that rexd is disabled in
/etc/inetd.conf; disable login shell for uucp; check for null
/.rhosts; check for accounts with no password; and check for
back-door root accounts.




Snoopy  Tools 


TITLE _ 

Snoopy  Tools 

AUTHOR _ 

The  MITRE  Corporation 

SOURCE _ 

http://infosec.nosc.mil/content.html 

KEYWORDS _ 

comprehensive  vulnerability  analysis 


CONTACT  INFORMATION 

W.  Reid  Gerhart 

The  MITRE  Corporation,  MS:  B325 
202  Burlington  Rd 
Bedford,  MA  01730-1420 
Telephone:  617.271.3738 
Facsimile:  617.271.3957 
Email:  wrg@mitre.org 

URL: http://www.mitre.org/resources/centers/infosec/infosec.html


REQUIREMENTS _ 

Operate on a host (with a network interface) running UNIX (C source
code). Tested on SunOS 4.x. Graphical interface to Snoopy Tools,
xsnoopy, runs under the X11 window system. Requires the Motif
libraries and 10 MB of disk space to compile.

AVAILABILITY _ 

Developed for NAVCOMSTAR Vulnerability Assessment, Department of the
Navy Space and Naval Warfare Systems Command Naval Information
Systems Security Office, PMW 161, Prepared by Michelle Gosselin, Dan
Vukelich, Len LaPadula (Ed.), The MITRE Corporation. March 1996.

ABSTRACT _ 

Snoopy Tools is a suite of programs that determine what network
services are running under Transmission Control Protocol/Internet
Protocol (TCP/IP) and attempt to exploit bugs in those services.
Snoopy probes hosts across a network in a non-intrusive manner by
acting as an unprivileged client of the various services that are
probed. The only indications that Snoopy is running are a possible
brief spike in network activity and the audit log entries maintained
by the hosts’ servers.

Snoopy remotely probes hosts to determine whether selected security
flaws are present in TCP/IP network services. It can act as a network
sniffer to capture Novell network passwords and can scan AppleTalk
networks for any readable files.

When Snoopy finds a host running TFTP, it attempts to retrieve the
password file for later use in a cracking attack. However, if the
password file is “shadowed,” meaning that the passwords were not
contained in /etc/passwd but rather in a shadow password file, the
opportunity to crack the passwords of valid system users is
minimized.
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SPI-NET 


TITLE _ 

SPI-NET 

AUTHOR _ 

Sandy  Spark 

SOURCE _ 

http://ciac.llnl.gov/cstc/spi/spinet.html 

KEYWORDS _ 

comprehensive  vulnerability  analysis 


CONTACT  INFORMATION 

Sandy  Spark 

Computer  Incident  Advisory  Capability 
University  of  California 
Lawrence  Livermore  National  Laboratory 
7000  East  Ave. 

P.O.  Box  808 
Livermore,  CA  94550 
Telephone:  510.422.8193 
Facsimile:  510.423.8002 
Email:  ciac@llnl.gov 

URL:  http://ciac.llnl.gov 


REQUIREMENTS _ 

UNIX  (C  source).  Tested  on  HP-UX  10.x,  IRIX 
5.x,  SunOS  4.x,  and  SunOS  5.x 

AVAILABILITY _ 

Free  SPI-NET  distributions  are  limited  to  U.S. 
Government  agencies  and  to  contractors  to  the 
U.S.  Department  of  Energy  and  U.S.  Department 
of  Defense.  Ongoing  commercialization  efforts 
preclude  free  distribution  and  use  by  private 
industry. 

ABSTRACT _ 

SPI-NET supports multihost system security inspections managed from a
designated “command host.” These inspections include access control
testing, system file authentication, file system change detection,
password testing, and common system vulnerability checks. SPI-NET
supports flexible inspection specification and scheduling, and
provides reasonable default settings. All SPI-NET command and data
traffic is protected by public key encryption techniques.

The  binary  distributions  come  in  two  forms: 

The “Stand-Alone” binaries support the command-host installation and
are required for at least one host in a SPI-NET security domain.

The “Detached” binaries provide the capability to inspect additional
remote host machines under the control of the command-host. Both
Stand-Alone and Detached packages come with Installation/Setup
scripts for ease of installation.
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Strobe 


TITLE _

Strobe

AUTHOR _

Julian Assange

SOURCE _

ftp://suburbia.net:/pub/strobe.tgz

KEYWORDS _

strobe vulnerability analysis


CONTACT INFORMATION

Julian Assange
PO Box 2031 Barker VIC 3122
AUSTRALIA
Telephone: n/a
Facsimile: 61.3.9819.9066
Email: strobe@suburbia.net
proff@suburbia.net
URL: ftp://coast.cs.purdue.edu/pub/tools/unix/strobe/


REQUIREMENTS _ 

UNIX  (C  source  code) 

AVAILABILITY _ 

Freely available from
ftp://coast.cs.purdue.edu/pub/tools/unix/strobe/strobe.tgz

ABSTRACT _ 

Strobe is a network security tool that locates and describes all
listening TCP ports on a (remote) host or on many hosts. Strobe
approximates a parallel finite state machine internally.

In nonlinear multihost mode, it attempts to apportion bandwidth and
sockets among the hosts very efficiently. On a machine with a
reasonable number of sockets, Strobe can port scan entire Internet
sub-domains.
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System  Security  Scanner 


TITLE _

System Security Scanner

AUTHOR _

Internet Security Systems

SOURCE _

http://www.iss.net/prod/isb.html

KEYWORDS _

comprehensive vulnerability analysis


CONTACT INFORMATION

Patrick Taylor
41 Perimeter Center East
Suite 660
Atlanta, GA 30346
Telephone: 770.395.0150
Facsimile: 770.395.1972
Email: info@iss.net
URL: http://www.iss.net


REQUIREMENTS _ 

SunOS 4.1.3-4.1.4, Solaris 2.3-2.5.1, AIX 3.2.5-4.2, HP-UX
9.05-10.x, Irix 6.2-6.4, and Linux 1.2.13+.

AVAILABILITY _ 

Commercial.  $495  for  a  single  server  license 
or  $3,500  for  a  10-server  license.  Evaluation 
copy  available  from  company  at 
http://www.iss.net. 

ABSTRACT _ 

System Security Scanner assesses operating system configuration, file
permissions and ownership, network services, account setups, program
authenticity, and common user-related security issues such as
guessable passwords.

System Security Scanner is part of the SAFEsuite line of adaptive
security management solutions. These technologies give a thorough
view of security threats and vulnerabilities in network traffic, Web
sites, firewalls, and UNIX and Windows NT operating systems. Once
vulnerabilities are identified, System Security Scanner prioritizes
its findings by high, medium, or low levels of risk. It provides
reports and appropriate corrective actions and generates scripts to
automatically correct vulnerabilities.

System Security Scanner’s open database structure and highly flexible
report engine provide data in both management and implementation
formats.
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Tiger 


TITLE _ 

Tiger 

AUTHOR _ 

Doug  Schales 

SOURCE _ 

ftp://coast.cs.purdue.edu/pub/tools/unix/tiger/ 

KEYWORDS _ 

comprehensive  vulnerability  analysis 


CONTACT  INFORMATION 

Doug  Schales 

Department  of  Computer  Science 
Texas  A&M  University 
College  Station,  TX  77843-3112 
Telephone:  409.845.5098 
Facsimile:  409.847.8578 
Email:  Doug.Schales@net.tamu.edu 

URL:  http://www.cs.tamu.edu/ 


REQUIREMENTS _ 

UNIX  (Bourne  shell  script,  C  source  code) 

AVAILABILITY _ 

Freely available from
ftp://coast.cs.purdue.edu/pub/tools/unix/tiger/

ABSTRACT _ 

Tiger is used to check for security problems on a UNIX system. It
scans system configuration files, file systems, and user
configuration files for possible security problems and reports them.
Tiger was originally developed to provide a check of UNIX systems on
the Texas A&M campus that users wanted to access from off campus.
(Clearance was provided through the packet filter.)
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ToneLoc 


TITLE _ 

ToneLoc 

AUTHOR _ 

Minor  Threat  and  Mucho  Maas 

SOURCE _ 

ftp.paranoia.com/pub/toneloc/tl110.zip 

KEYWORD _ 

war  dialers 


CONTACT  INFORMATION 


Name: Unavailable
Address: Unavailable
Telephone: Unavailable
Facsimile: Unavailable
Email: mthreat@paranoia.com -or- mthreat@ccwf.cc.utexas.edu
URL: http://oberon.ark.com/-john/frozenhell/files.html

REQUIREMENTS _ 

Windows  3.X/95/NT,  DOS  6.x,  modem 

AVAILABILITY _ 

Freely available from
ftp://ftp.paranoia.com/pub/toneloc/tl110.zip

ABSTRACT: _ 

This software is designed to scan a block of telephone numbers for an
active dial-up service. This tool may be useful to administrators who
are unsure whether possible back doors are present in their computer
or telephone network.
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Trident  Information  Protection  Toolbox 


TITLE _

Trident Information Protection Toolbox

AUTHOR _

Trident Data Systems

SOURCE _

http://www.tds.com/tb/index.html

KEYWORDS _

risk analysis


CONTACT INFORMATION

Brian Finan
10455 White Granite Drive, Suite 400
Oakton, VA 22124
Telephone: 703.383.3686
Facsimile: 703.383.3530
Email: Brian_Finan@tds.com
URL: http://www.tds.com/tb/index.html#anal


REQUIREMENTS _ 

Operates  on  Windows  95  and  NT  4.0 

AVAILABILITY _ 

Commercially available from
http://www.tds.com/tb/index.html#anal

ABSTRACT _ 

Trident’s Toolbox is a set of three complementary tools that assist
in protecting critical information assets. Toolbox is a more specific
and advanced version of the company’s highly successful NetRISK
product.

The Trident Information Protection Toolbox includes: Trident
Information Protection Analyst, a comprehensive risk management
software for networks; Trident Information Protection Architect, an
automated network mapping and security design; and Trident
Information Protection Library, a comprehensive information security
database.

Analyst automates the risk assessment process, provides summary and
detailed reports of the security risks present in networks, and
offers solutions for reducing those risks. The Architect
automatically identifies and graphically maps all of the hardware,
services, and dial-up modem entry points. Library is a comprehensive
reference of current computer security information. Its relational
database format allows access to Analyst and Architect. The Library
contains an extensive inventory of computer vulnerabilities with
appropriate safeguards or patches for each vulnerability.
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VISART 


TITLE _ 

Value  of  Information  Structured  Analysis  of 
Risk  Tool  (VISART) 

AUTHOR _ 

Dr.  Donald  R.  Peeples 

SOURCE _ 

National  Security  Agency 

KEYWORDS _ 

risk  analysis 


CONTACT  INFORMATION 

Dr.  Donald  R.  Peeples 
National  Security  Agency  (VI) 

Ft.  Meade,  MD  20755-6755 
Telephone:  410.859.4704 
Facsimile:  n/a 
Email:  n/a 

URL:  http://www.nsa.gov/ 


REQUIREMENTS _ 

Tool  is  currently  under  development. 

AVAILABILITY _ 

Tool  is  currently  under  development 

ABSTRACT _ 

VISART is a risk management tool currently under development by Dr.
Donald Peeples at NSA’s Information Security Systems Office (ISSO).
This tool allows the user to analyze systems, their vulnerabilities,
and possible threats, and quantify what types of countermeasures are
justifiable in terms of cost. The process begins with the collection
of data to describe baseline procedures (risks and probabilities),
including total aggregated risk. Once this is completed, a set of
appropriate countermeasures is suggested, and the tool can be rerun
to determine actual effectiveness. (Cost is based on level of
security.)
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XSCAN 


TITLE _ 

XScan 

AUTHOR _ 

Unknown 

SOURCE _ 

http://www.giga.or.at/pub/hacker/unix 

KEYWORDS _ 

simple  vulnerability  analysis 


CONTACT  INFORMATION 

Name:  Unavailable 

Address:  Unavailable 

Telephone:  Unavailable 

Facsimile:  Unavailable 

Email:  pendleto@math.ukans.edu 

URL:  Unavailable 


REQUIREMENTS _ 

Linux or SunOS 4.1.4, X system (C source code)

AVAILABILITY _ 

Freely available from
http://www.giga.or.at/pub/hacker/unix/xscan.tar.gz

ABSTRACT _ 

This utility scans a host, or a range of hosts, for unprotected X
displays. If an unprotected display is discovered, this utility
monitors that connection and logs all keystrokes made on the display.
This is a useful tool to exploit passwords that may be obtained from
the local machine or remote machine depending on what the scanned
target is doing with the open display. System administrators can use
this tool to determine whether users are adequately restricting those
hosts that can connect to their active X sessions.
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